Top HTTPS & HTTP/2 Errors and Practical Fixes
This guide compiles common HTTPS and HTTP/2 deployment problems—such as Let’s Encrypt validation failures, certificate transparency errors, SNI incompatibility, cipher‑suite misconfigurations, and mixed‑content issues—and provides concise, actionable solutions with reference links for each case.
General diagnostic step
Before troubleshooting any HTTPS or HTTP/2 problem, run the Qualys SSL Labs SSL Server Test. It detects most configuration issues.
Let’s Encrypt validation failure
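If the ACME server cannot reach your server, validation fails. Switch to acme.sh and use its DNS validation mode, which usually resolves the problem: domain control is proven through a DNS record, so the ACME server never has to connect to your host.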
Chrome 53 ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
This error appears when accessing sites that use Symantec certificates. It is caused by a Chrome bug. Updating Chrome to the latest version fixes it. Reference URLs:
https://bugs.chromium.org/p/chromium/issues/detail?id=664177
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT2160
Browser reports certificate error
Ensure the site presents a valid CA‑issued certificate and includes the full certificate chain (site certificate plus all intermediate certificates). Missing intermediates cause browsers to reject the connection or degrade TLS handshake performance.
SNI not supported by legacy browsers
Old browsers such as IE8 on Windows XP cannot handle Server Name Indication (SNI). When multiple HTTPS hosts share an IP, these browsers receive the wrong certificate. Mitigations:
Host each certificate on a separate IP or server.
Use a SAN (Subject Alternative Name) certificate that covers all domains.
Drop support for browsers that lack SNI.
Incorrect system time
A client with an inaccurate clock triggers errors like Chrome’s ERR_CERT_DATE_INVALID. Verify and correct the system time on the client machine.
ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY after enabling HTTP/2
The typical cause is an ssl_ciphers configuration in Nginx that lets the server negotiate a cipher suite HTTP/2 does not permit. Align the cipher suite with Mozilla’s recommended TLS configuration or Cloudflare’s best-practice list.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Common causes:
Using outdated protocol versions (e.g., only SSLv3).
Configuring weak ciphers (e.g., RC4 only).
Serving only ECC certificates to browsers that lack ECC support. See the guide “Starting with ECC Certificates” for work‑arounds: https://imququ.com/post/ecc-certificate.html
Nginx serves HTTP/2 but clients fall back to HTTP/1.1
Chrome 51+ dropped NPN support and requires ALPN. Ensure the server’s OpenSSL version is ≥ 1.0.2 (which adds ALPN support) and that Nginx is compiled against this OpenSSL version.
Mixed‑content after HTTPS migration
All external resources—CSS, JavaScript, images, fonts, API endpoints, form actions, etc.—must be loaded over HTTPS. Any HTTP references cause resources to be blocked or trigger “not secure” warnings.
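One way to audit a page for the references described above, as an added example that is not part of the original article: a Python scanner that lists every http:// subresource and labels it active (scripts, stylesheets, frames, which browsers block), passive (images and media, which trigger warnings), css (url() inside a style block, such as a font), or form. The names MixedContentScanner and scan and the sample hostnames are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# (tag, attribute) -> kind of fetch. <a href> is navigation, so it is deliberately absent.
FETCHES = {("script", "src"): "active", ("iframe", "src"): "active", ("form", "action"): "form",
           ("img", "src"): "passive", ("audio", "src"): "passive", ("video", "src"): "passive"}
CSS_URL = re.compile(r"url\(\s*['\"]?\s*(http://[^'\")\s]+)", re.I)

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False  # findings: (kind, tag, url)

    def _add(self, kind, tag, url):
        url = (url or "").strip()
        if kind and url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        self._in_style = tag == "style"
        for name, value in a.items():
            self._add(FETCHES.get((tag, name)), tag, value)
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            self._add("active", tag, a.get("href"))
        for cand in a.get("srcset", "").split(","):  # each candidate is "URL descriptor"
            self._add("passive", tag, cand.strip().split(" ")[0])

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # body of a <style> element, e.g. an @font-face src
            for url in CSS_URL.findall(data):
                self._add("css", "style", url)

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page; all hostnames are placeholders.
SAMPLE = """<link rel="stylesheet" href="http://cdn.example.test/site.css">
<style>@font-face { src: url("http://cdn.example.test/f.woff2"); }</style>
<script src="//cdn.example.test/app.js"></script><a href="http://other.example.test/">nav</a>
<img src="https://img.example.test/a.png" srcset="http://img.example.test/a2.png 2x">
<form action="http://www.example.test/login" method="post"></form>"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

The protocol-relative script and the plain link are not reported: the first inherits the page's HTTPS scheme and the second is navigation rather than a subresource load.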
Safari/iOS only access issues
If a site works in Chrome/Firefox but not in Safari or iOS browsers, the Certificate Transparency (CT) configuration is likely incorrect. Check the directory configured by ssl_ct_static_scts for missing or empty SCT files. Note that Google’s Aviator CT log stopped accepting submissions after 1 December 2016; avoid using it with ct-submit.
ITPUB
